Cybersecurity has entered an era of maturity… without having solved the essential issue. Never have organizations invested more, threats have never been so well documented, and the discourse has never been so structured. And yet, the sense of insecurity remains, even intensifies.
Every week brings its share of high‑profile incidents: a company brought to a halt, data exposed, an administration made vulnerable. These events feed a dynamic now well known: awareness, urgency, reaction. Then, until the next incident, a relative return to normalcy.
This cycle is not an accident. It is the product of a model in which fear has become the main engine. A common language across the entire ecosystem (suppliers, CISOs, executives) and one from which it becomes difficult to disentangle oneself.
In France, the ANSSI reports a sustained rise in significant incidents, while large companies and mid-market firms now face regular intrusion attempts, up to daily. In this context, cybersecurity has become a strategic topic, discussed at the highest levels of organizations.
An industry unable to prove its value other than through risk
In most of the business functions, value is measured and communicated readily. Sales rely on revenue, marketing on conversions, operations on efficiency. Cybersecurity, by contrast, must demonstrate… the absence of incidents.
This paradox creates a vacuum. Organizations have little tangible evidence that their investments actually work, as long as no major attack tests the defenses in place. Red team exercises thus become one of the few possible demonstrations: simulate a catastrophe to prove that one could survive it.
This structural difficulty is also reflected in the way cybersecurity communicates. The successes highlighted are invariably tied to negative events: an attack stopped, ransomware contained, a threat neutralized. Even real progress, sometimes substantial, struggles to emerge in public debate once it does not fit a crisis narrative.
A systemic loop sustained by all actors
It would be reductive to attribute this situation to vendors alone. Fear is not merely a commercial lever; it has become a systemic mechanism.
Security leaders themselves use it, often pressed by internal dynamics. In many organizations, obtaining budgets remains easier after a mediated breach than within a proactive strategy. Fear thus becomes a tool for organizational alignment.
Boards of directors also participate in this dynamic. Facing a multi-year resilience roadmap, reactions tend to be measured. Conversely, the presentation of a recent incident affecting a peer triggers immediate attention. Fear simplifies decision-making, where strategy requires accountability.
Buyers, finally, subscribe to this logic by approving structuring projects primarily after incidents. Alignment is not built upstream, but under the pressure of a critical event.
The emergence of artificial intelligence has not alleviated this reliance on fear; it has amplified it to an unprecedented level. AI has become the new catalyst for a fear-driven discourse, with two dominant narratives: that attackers are augmented by near‑unlimited capabilities, and that organizations are fated to chase a perpetual technological race to avoid being left behind.
Recent news around the Mythos model, developed by Anthropic, perfectly illustrates this dynamic. Presented as a technological breakthrough, this model can identify and exploit vulnerabilities at an unprecedented speed and scale, to the point of having detected thousands of critical flaws, some of which remained invisible for decades.
In tests, it even demonstrated the ability to chain multiple vulnerabilities to autonomously construct complex exploits. But beyond its actual capabilities, it is the narrative framing that raises questions. Mythos is pitched as a “super‑hacker” capable of surpassing human experts, fueling a perception of an uncontrollable acceleration of threat.
The paradox is striking: while these technologies could substantially improve detection, remediation, and resilience, they are initially perceived and presented as risk factors. AI does not only transform the threat; it amplifies the way it is told, reinforcing an already deeply entrenched fear economy in the sector.
Meanwhile, the fundamentals have not changed. Exploitation of known vulnerabilities, misconfigurations, or hygiene flaws remain the attackers’ preferred entry points. Yet these less spectacular topics struggle to compete with the narrative power of an AI that can, in minutes, discover and exploit large‑scale weaknesses.
Breaking the fear reflex to build sustainable cybersecurity
Breaking this loop does not require eliminating all forms of fear, which retains a degree of rationality. The challenge is to rebalance it with a clearer articulation of value.
That starts with a shift in storytelling. Cybersecurity is not limited to preventing incidents; it enables organizational transformation, secures innovation, accelerates projects, and streamlines operations. These positive dimensions must become visible and understandable.
It also requires evolving the indicators. As long as dashboards remain saturated with threats and detections, they will continue to feed a distressing view. Conversely, measuring resilience, business continuity, containment times, or architectural progress helps to showcase long‑term dynamics.
Finally, it becomes necessary to rehabilitate the groundwork. Segmentation, least privilege, modernizing architectures, and security hygiene are efforts that are often unseen but decisive. Their recognition remains insufficient in an environment dominated by urgency.
Change the language to change the trajectory
Cybersecurity has become a market structured by fear, to the point that fear now serves as the common language. While it can create urgency, it does not build resilience. It directs investments toward immediate responses, often at the expense of structural transformations.
The result is a security that is perceived as active, but whose actual effectiveness remains difficult to assess. Appearance takes precedence over depth.
The challenge, therefore, is not to deny the economic value of fear, but to question the dependence it has created. Until cybersecurity value can be expressed in ways other than the avoided catastrophe, the industry will remain trapped in its own cycles.
The true breakthrough will come the day when trust, mastery, and the ability to act mobilize as much as fear.
*Damien Gbiorczyk is a cyber-resilience expert at Illumio
